UK: Does Lloyd v Google Decision Affect Data Protection Claims Regarding The Use Of Cookies On Websites

The short answer is yes! 

Background

In Lloyd v Google, Mr Lloyd sought to bring a representative action against Google LLC on behalf of millions of Apple iPhone users, alleging that Google had collected data from users of Apple's Safari browser without their knowledge or consent in breach of its obligations as a data controller under the Data Protection Act 1998 (DPA). 

The Supreme Court considered whether damages were recoverable under the DPA for loss of control of data alone where there was no identifiable damage or distress. Section 13 of the DPA provided that an individual was only entitled to compensation where "damage" or, in certain specific circumstances, "distress" was suffered as a result of the breach. 

Supreme Court judgment

The Supreme Court held that for an individual be compensated under the DPA, they would have to show "some unlawful use of personal data relating to that individual and that the individual suffered some damage as a result."

The claimant had argued that (i) "damage" included "loss of control" over personal data and (ii) that interference with a claimant's rights constituted "damage".  This is frequently the type of "damage" alleged in data breach cases relating to unauthorised use of cookies on websites. 

The Supreme Court rejected this approach, ruling that "damage" was intended to be limited to material damage (such as financial loss) and distress distinct from, and caused by, unlawful processing of personal data in breach of the DPA.   

Implications for cookie-related data breach claims

The Supreme Court judgment in Lloyd v Google will provide assistance for those facing claims by individuals claiming compensation under data protection legislation. As a result of the decision it is clear that loss of control of data will not be enough to support a claim. Individuals bringing data breach claims after visiting a company's website which uses cookies without their consent may struggle to demonstrate they have suffered any (or sufficient) "damage" or "distress".

Such claims are usually framed very broadly without any specific detail as to the "damage" or "distress" alleged to have been caused by the unauthorised use of non-essential cookies. Although it is still good practice for companies to ensure that visitors to their website can opt in or out of any non-essential cookies so as to ensure compliance with the PECR and the GDPR, the Lloyd v Google judgment should assist in defending cookie-related data breach claims which appear opportunistic in nature and in which a claimant fails to demonstrate any material damage or distress caused as a result of the cookie usage.     

Please click here for a more detailed analysis of the Supreme Court judgment in Lloyd v Google.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.